
User details such as your name, birthday and address can be accessed in a security loophole on Skype for Android. Photo courtesy of Skype
A recently discovered security flaw in Skype for Android mobile devices could give prying eyes a peek at your personal data, including full name, date of birth and contact information.
Using a custom-made app to test Skype Video for security issues, mobile blog Android Police discovered a simple exploit that exposes many sensitive user details in the current version of Skype for Android.
After downloading and analyzing a leaked version of Skype Video, which appeared earlier in the week, Android Police blogger “Justin Case” discovered how poorly the app protected user data.
He was able to access user data with some custom software to break through the Skype app’s security. After testing this on the currently released version of Skype video for Android — which has been in wide release since October 2010 — he found that it contains the same security issues.
The exploit gains access to the file “main.db” in the Skype directory. This file holds sensitive information such as your first and last name, birthday, billing address, e-mail addresses, home and cellphone numbers. Information on all the people in your address book is accessible through the contacts database, and all stored chat logs are also accessible through the chat database.
The custom app, which the Android Police named “Skypwned,” doesn’t require root access to the phone in order to exploit Skype’s security loophole.
“This means that a rogue developer could modify an existing application with code from our proof of concept (without much difficulty), distribute that application on the Market, and just watch as all that private user information pours in,” Android Police wrote.
The loophole doesn’t appear to be present in the Skype Mobile for Verizon version of the app, according to Android Police.
Skype provided Wired.com with a statement, claiming it was working to address the vulnerability:
It has been brought to our attention that, were you to install a malicious third-party application onto your Android device, then it could access the locally stored Skype for Android files.
These files include cached profile information and instant messages. We take your privacy very seriously and are working quickly to protect you from this vulnerability, including securing the file permissions on the Skype for Android application.
To protect your personal information, we advise users to take care in selecting which applications to download and install onto their device.
This isn’t the first time Skype has taken heat on security issues. In March, advocacy group Privacy International called upon Skype to tighten up some of its security measures in a vehemently worded blog post. The blog post cited the ease with which a Skype user can imitate other users, as well as a lack of HTTPS-level protection for its downloads.
The blogger who detected the security issue suggests three ways for Skype to fix it: the use of proper file permissions, the institution of an encryption scheme and a thorough security review of the company’s apps before their release.
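The first of those fixes, proper file permissions, is something a developer or tester can check directly. The script below is an added example, not code from Android Police or Skype: it walks an app data directory, reports every file or directory that users other than the owner can reach, then restricts the tree to owner-only access. The directory layout, the `config.xml` name and the starting modes are constructed for the demonstration, and a POSIX file system is assumed.

```python
import os
import stat
import tempfile

OTHER_BITS = stat.S_IRWXO  # any read/write/execute bit granted to "other" users


def audit(root):
    """Return sorted (relative path, octal mode) pairs for entries open to 'other'."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & OTHER_BITS:
                findings.append((os.path.relpath(path, root), oct(mode)))
    return sorted(findings)


def harden(root):
    """Restrict every directory to 0700 and every file to 0600 (owner only)."""
    os.chmod(root, 0o700)
    for dirpath, dirnames, filenames in os.walk(root):
        for name, mode in [(d, 0o700) for d in dirnames] + [(f, 0o600) for f in filenames]:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):  # never chmod through a link
                os.chmod(path, mode)


def demo():
    """Build a constructed data directory, then audit, harden and audit again."""
    with tempfile.TemporaryDirectory() as root:
        account = os.path.join(root, "files", "example_user")  # hypothetical layout
        os.makedirs(account)
        for name, mode in (("main.db", 0o666), ("config.xml", 0o600)):  # constructed modes
            path = os.path.join(account, name)
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "files"), 0o755)
        os.chmod(account, 0o755)
        before = audit(root)
        harden(root)
        return before, audit(root)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The audit flags the parent directories as well as `main.db`, because a file is only reachable by another user when every directory above it also grants that user access.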


